CISA says it will extend funding to Mitre, which runs the CVE Program, and “there will be no lapse in critical CVE services”, after Mitre said funding expired
CISA says the U.S. government has extended MITRE's funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.
BleepingComputer · Sergiu Gatlan
Related Coverage
- CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo CSO · Cynthia Brumfield
- US funding running out for critical cyber vulnerability database, manager says Reuters
- Funding Expires for Key Cyber Vulnerability Database Krebs on Security · Brian Krebs
- CISA pulls MITRE's CVE program back from the brink of death at the 11th hour Metacurity · Cynthia B Brumfield
- Uncle Sam abruptly turns off funding for CVE program. Yes, that CVE program The Register · Jessica Lyons
- Funding for the critical CVE security detection system renewed just hours before deadline TechRadar
- CVE Program Funding Expires—What It Means And What To Do Next Forbes · Kate O'Flaherty
- CVE security program used by Apple and others has funding removed [U] 9to5Mac · Ben Lovejoy
- A crucial system behind Android security updates just lost its funding (Update: Funding restored) Android Authority · Adamya Sharma
- Trump administration decides to fund CVE cybersecurity tracker after all The Verge · Emma Roth
- CISA reverses course, extends MITRE CVE contract CyberScoop · Derek B. Johnson
- CISA funds CVE program in the 11th hour of contract with MITRE SC Media · Steve Zurier
- 11th-Hour Funding Saves Program That Tracks Software Vulnerabilities PCMag · Michael Kan
- CVE Board members launch the CVE Foundation, a dedicated, non-profit to continue identifying vulnerabilities, after the US ended its contract with Mitre CVE Foundation
- MITRE warns of lapse with CVE program as contract with US set to expire The Record · Jonathan Greig
- MITRE CVE program handed last minute reprieve amid funding lapse concerns ITPro · Rory Bathgate
- cybersecurity just got f***ed John Hammond on YouTube · John Hammond
- CISA extends MITRE-backed CVE contract hours before its lapse FCW · David DiMolfetta
- Mitre, the nonprofit research organization behind the CVE program, says the US government funding needed to develop and operate CVE will expire on April 16 FCW · David DiMolfetta
- VulnCheck to Support the CVE Program Through Potential Contract Transition Business Wire · Ted Weismann
- Security Database Used by Apple Goes Independent After Funding Cut [Updated] MacRumors · Tim Hardwick
- Cybersecurity World On Edge As CVE Program Prepares To Go Dark Forbes · Tony Bradley
- CISA extends Mitre CVE contract at last moment ComputerWeekly.com · Alex Scroxton
- MITRE CVE Contract Extended Just Before Expiration The Cyber Express · Paul Shread
- MITRE Crisis: CVE Cash Ends TODAY — CISA says ‘No Lapse’ Security Boulevard · Richi Jennings
- CISA Provides Last-Minute Support to Keep CVE Program Running Cyber Security News · Guru Baran
- Cybersecurity Alarms Sound Over Loss of CVE Program Funding DeviceSecurity.io · Mathew J. Schwartz
- Could this be the end of CVE? And what does it mean for cybersecurity? BetaNews · Ian Barker
- CVE Program Almost Unfunded Schneier on Security · Bruce Schneier
- MITRE CVE Program Funding Set To Expire Security Boulevard
- VulnCheck to Support the CVE Program Through Potential Contract Transition VulnCheck · Anthony Bettini
- Cybersecurity Alarms Sound as CVE Program Funding Ceases HealthcareInfoSecurity.com · Mathew J. Schwartz
- Funding uncertainty may spell the end of MITRE's CVE program Help Net Security · Zeljka Zorz
- CVE Foundation Launched To Ensure Long-term Vulnerability Tracking Cyber Security News · Guru Baran
- Chaos Reigns as MITRE Set to Cease CVE and CWE Operations Infosecurity · Phil Muncaster
- MITRE Contract Expiration Threatens Global Vulnerability Coordination CyberInsider · Alex Lekander
- MITRE cyber vulnerability database runs out of US government funds today Silicon Republic · Ann O'Dea
- U.S. Govt. Funding for MITRE's CVE Ends April 16, Cybersecurity Community on Alert The Hacker News
- I boosted several posts about this already, but since people keep asking if I've seen it.... MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration Program, will expire on April 16. … @briankrebs@infosec.exchange · BrianKrebs
- Just as it looked like the US government was set to let funding expire for the CVE program that tracks cybersecurity vulnerabilities, the contract has been extended by 11 months. But the close call has led to the formation of a non-profit that could reduce the reliance on govt funding long-term. https://www.bleepingcomputer.com/ ... #CISA #CVE #MITRE #security @bradlinder@fosstodon.org · Brad Linder
- It looks like the CVE program has been extended but the actual source of the news is yet to be verified. It just says the US Gov. — CISA extends funding to ensure ‘no lapse in critical CVE services’ https://www.bleepingcomputer.com/ ... #InfoSec #Cybersecurity #CVE @beardedtechguy@infosec.exchange
- Looks like the US Government are going to lose control of CVE. https://www.thecvefoundation.org/ @GossiTheDog@cyberplace.social · Kevin Beaumont
- Huge congrats to the folks behind the new CVE Foundation ( https://www.thecvefoundation.org/) - amazing work to be able to announce this so quickly after the news about MITRE's funding expiring broke. … @Infosecjen@infosec.exchange
- “The formation of the CVE Foundation marks a major step toward eliminating a single point of failure”, aka the U.S. Government. — https://www.thecvefoundation.org/ #vulnerabilitymanagement #cve #hacking @soren@expressional.social
- ‼️ ‼️ ‼️ QUICK NOTE: A potential shutdown or disruption of the CVE (Common Vulnerabilities and Exposures) … Jen Easterly
- This will have wide reaching consequences for everyone on the planet. But then so will lots of other things the current administration has done. … Patrick W. Gilmore
- CVE Foundation Launched to Secure the Future of the CVE Program Hacker News
- Mitre-backed cyber vulnerability program to lose funding Hacker News
- CVE program averts swift end after CISA executes 11-month contract extension Lobsters
- CISA Extends Funding To Ensure ‘No Lapse in Critical CVE Services’ Slashdot · Msmash
- Security Database Used by Apple Goes Independent After Funding Cut [Updated] MacRumors Forums
Discussion
-
@tib3rius
@tib3rius
on bluesky
BREAKING. — From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members. [image]
-
@k8em0
Katie Moussouris
on bluesky
We have 11 months to figure out how to make sure this doesn't happen again. — www.bleepingcomputer.com/news/securit... [embedded post]
-
@xenago
Noah
on bluesky
Hopefully www.thecvefoundation.org steps in regardless. Can't have this program ever lapse. [embedded post]
-
@mmasnick
Mike Masnick
on bluesky
Yiiiiiiiiiiiiiiiiikes. More details here, but this is... really bad. www.nextgov.com/cybersecurit... [embedded post]
-
@slightlyflightyone
Jamie J
on bluesky
this is some of the worst news in cybersecurity history — the global database for documenting security vulnerabilities so that systems administrators and IT professionals use to ensure systems are secure is funded by the U.S. government — its funding was not renewed — it wi…
-
@filippo.abyssdomain.expert
Filippo Valsorda
on bluesky
“I wish CISA would stop assigning out-of-context CVSS scores to our CVEs.” — * monkey paw curls * — https://www.csoonline.com/article/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html
-
@stimulusfunctions
@stimulusfunctions
on bluesky
So like when the meteorologists all struggled to tell you just how bad the defunding of the NOAA was and could barely find the words? This is that bad, but for computer security. www.nextgov.com/cybersecurit...
-
@dcuthbert
Daniel Cuthbert
on bluesky
Positive www.thecvefoundation.org — Without the CVE process, we don't have any real way, besides legislation (which I'm arguing will help too) to keep vendors honest and hold them to account. — Here's hoping good comes out of recent events
-
@alexandrapaulus
Alexandra Paulus
on bluesky
Plot twist and a surprisingly positive one at that: individuals involved with the CVE database are standing up the CVE foundation to ensure the database can continue to function. — Curious to learn more about the details. — www.thecvefoundation.org
-
@metacurity.com
Cynthia Brumfield
on bluesky
Here's my piece on the ending of the CVE contract. — “Sasha Romanosky, senior policy researcher at the Rand Corporation, branded the end to the CVE program as ‘tragic,’ a sentiment echoed by many cybersecurity and CVE experts reached for comment. — www.csoonline.com/article/3…
-
@waldo.net
Waldo Jaquith
on bluesky
Christ, the wheels are really going to come off now. www.nextgov.com/cybersecurit...
-
@cachiporra
@cachiporra
on bluesky
This is Trump and Musk detonating the foundation of the global software industry. It's unthinkable, it's unfathomable, and it's absolutely fucking hilarious. — Nothing is real anymore, nothing matters. It was all tissue paper in the rain.
-
@edbilodeau@mastodon.social
Ed Bilodeau
on mastodon
Good news, but the only sustainable approach for the CVE program, for all programs really, is to move away from depending on US government funding. — https://www.bleepingcomputer.com/ ...
-
@hrbrmstr@mastodon.social
@hrbrmstr@mastodon.social
on mastodon
Ooh! We're gonna hold bake sales to keep the CVE program alive! — https://www.thecvefoundation.org/ [image]
-
@serghei@mastodon.social
Sergiu Gatlan
on mastodon
A coalition of CVE Board members launched a new CVE Foundation “to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program.” — https://www.thecvefoundation.org/ [image]
-
@r3pek@mastodon.r3pek.org
Carlos Mogas da Silva
on mastodon
Good thing that everything looks like it's gonna get solved before it becomes a real problem! props to everyone involved! 👏 — https://www.thecvefoundation.org #cve
-
@0xtib3rius
@0xtib3rius
on x
BREAKING. From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members. [image]
-
@markyk
Mark Kember
on x
CISA extends CVE spend. Fellow PR professionals, please stand down on specific comments. Do think about the future of software vulnerabilities and long-term management.
-
@litmoose
Moose
on x
Mood update: [image]
-
@ddimolfetta
David DiMolfetta
on x
The update comes just hours after a subset of the CVE Board said it plans to break off to maintain the CVE Program under a new body called the CVE Foundation. Unclear what happens next, but the new group could have a role in future contracting discussions: https://www.thecvefound…
-
@ericgeller
Eric Geller
on x
CISA blinks, extending its CVE contract at the last minute. I'm guessing someone in the Trump administration just learned how important this work is. https://x.com/...
-
@cartunenetwerk
@cartunenetwerk
on x
Bullying works CISA extends funding to ensure 'no lapse in critical CVE services' https://www.bleepingcomputer.com/ ...
-
@geotwit4
@geotwit4
on x
Situation bit unclear on something that really, really relies on clear and timely communication I suppose. Seems GitHub “mirror” of the stale database and foundation to manage it were already launched, but this might pull in different directions. MITRE CISA #CVE
-
@jonmasters
@jonmasters
on x
Whether you like how the CVE system works or not, the correct way to do things in a civil society is with planning+notice. CISA has extended funding at the 11th hour, presumably following feedback. “Move fast and break things” is a foolish motto to live by, in tech or government
-
@ddimolfetta
David DiMolfetta
on x
NEW: In an 11th hour move, CISA spokesperson says it extended the contract for the MITRE-backed CVE Program last night: [image]
-
@vxunderground
@vxunderground
on x
Hi, We've archived the MITRE CVE database. The CVE DB is free and open source on GitHub. However, we're providing a backup location for the data. We doubt it'll magically disintegrate in ash, but if it does we have a copy. https://vx-underground.org/...
-
@cyb3rops
Florian Roth
on x
MITRE announced on April 15 that their CVE contract ends on April 16. That timing alone raises some questions. The language in the message feels very deliberate: “We're committed,” “considerable efforts,” “if a break were to occur” - while they know a break will happen the next
-
@ddimolfetta
David DiMolfetta
on x
I've confirmed this is legit. Story on the way.
-
@gergelyorosz
Gergely Orosz
on x
Full article: I guess one lesson is how not to trust government-funded nonprofits for critical infra looking ahead - even if the critical infra helps said country greatly Trust for-profit companies to fund it instead? Hard question https://www.csoonline.com/...
-
@dcuthbert
Daniel Cuthbert
on x
Positive https://www.thecvefoundation.org/ Without the CVE process, we don't have any real way, besides legislation (which I'm arguing will help too) to keep vendors honest and hold them to account. Here's hoping good comes out of recent events
-
@vxunderground
@vxunderground
on x
According to USASpending, MITRE has received approx. $1,500,000,000 since 2008 from the United States government. We could survive approx. 30,000 years with that much money 😂😂😂
-
@gergelyorosz
Gergely Orosz
on x
This is hard to believe, but is happening: the CVE program to end later today? CVE has been the de facto way to track software vulnerabilities - from disclosure to fixing - globally. Feels like everyone will be worse off - and I wonder what will replace this, if anything will [im…
-
@aselawaid
Asela Waidyalankara
on x
A potentially devastating decision with far-reaching implications for the global cybersecurity landscape. U.S. leadership in cybersecurity frameworks and infrastructure has long been a cornerstone in addressing global cyber threats and remains a vital pillar of our shared [image]
-
@jamesberthoty
James Berthoty
on x
Here's how the CVE disclosure system works and why MITRE is a big deal in it: https://link.excalidraw.com/ ... [image]
-
@drewvolpe
Drew Volpe
on x
Funding was pulled for MITRE's CVE, a critical piece of public cybersecurity infrastructure, and it's shutting down. This is amazingly stupid. [image]
-
@mattjay
Matt Johansen
on x
I don't know what happens if NVD and CVE face degradation. [video]
-
@securethisnow
@securethisnow
on x
If a CVE isn't catalogued Is it really a vulnerability? [image]
-
@adefunkebola
@adefunkebola
on x
Lemme explain what that means to the uninitiated. Mitre is a government organisation that contains a repository of all the vulnerabilities that have been exposed/exploited so far. It is through this repository that antivirus and other malware detectors (eg virustotal) are based on.
-
@banthisguy9349
@banthisguy9349
on x
No CVE Database is no vulnerabilities anymore right? Problem solved [image]
-
@mattjay
Matt Johansen
on x
Vuln Management teams about to have a bad week.
-
@rsnake
Robert Hansen
on x
Reposting to fix my comment. MITRE is about to run out of money - as in tomorrow. MITRE is laying off 400+ people by early June. This directly affects CVE. My guess is what will happen is there will be a new non-profit funded by the CNAs, but it remains to be seen.
-
@vxunderground
@vxunderground
on x
[image]
-
@_johnhammond
John Hammond
on x
i crapped out a video to shout about the MITRE CVE fiasco if you want to hear me ramble and rant https://www.youtube.com/...
-
@cyb3rmonk
Mehmet Ergene
on x
Quick response to secure CVE program [image]
-
@ericgeller
Eric Geller
on x
MITRE supports a ton of federal cybersecurity work, with the CVE program probably being the most famous example. It's a globally used repository for vital information about vulnerabilities. https://cve.mitre.org/ I've asked DHS what's going on with the MITRE contract.
-
@feross
@feross
on x
🚨 The CVE program is about to go dark. MITRE just confirmed their funding to run CVE and CWE expires tomorrow. That's the main database the world relies on to track known vulnerabilities in software. Yes, the CVE. The backbone of the entire vuln ecosystem. No CVEs = no shared [im…
-
@talbeerysec
Tal Be'ery
on x
Unpopular(?) opinion: CVE project requires an overhaul. Some examples: Not dealing with cloud where much of the action happens is a mistake (see https://www.cloudvulndb.org/) Website has 90s look & feel. I hope CVE will find a new home that will rejuvenate it.
-
@cyb3rops
Florian Roth
on x
Ah 👀 https://www.thecvefoundation.org/ [image]
-
@_0xkiwi
@_0xkiwi
on x
For additional context: The program is administered by MITRE, paid for by CISA, and run by an independent board of directors. Content is created by individual vendors as CVE Naming Authorities (CNA). so it's a community program.
-
@_johnhammond
John Hammond
on x
wHAT tHE F###
-
@vxunderground
@vxunderground
on x
This random document fell off the back of a bus. Weird. This random document which randomly fell off the back of a bus (randomly) says MITRE is no longer supporting the CVE program as of April 16th, 2025. Which is crazy, because this random document is dated April 15th, 2025. [im…
-
@tonikjdk
Jim Kennedy
on x
You all are misreading the MITRE CVE situation. MITRE ran out of numbers and was not prepared to move to CVEv6.
-
r/cybersecurity
on reddit
CISA restores CVE funding
-
r/GooglePixel
on reddit
Future Monthly Pixel Security Updates Will Be Interesting
-
r/Android
on reddit
A crucial system behind Android security updates just lost its funding
-
r/netsec
on reddit
MITRE support for the CVE program is due to expire today!
-
r/cybersecurity
on reddit
The CVE Foundation announced to replace MITRE government cuts
-
r/nottheonion
on reddit
Uncle Sam abruptly turns off funding for CVE program. Yes, that CVE program
-
r/neoliberal
on reddit
Homeland Security funding for CVE program expires • The Register